
Script for simple AV evasion (tested on AVG, Avast, Emsisoft)

Hey,
I wrote a simple shell script to bypass AVs like AVG, Avast and Emsisoft.
It certainly will not bypass all AVs. Just the easy ones.
The script can be downloaded here: http://home.base.be/%72%68%69%6E%63%...reatetrojan.sh
I saw somebody demonstrate this method of AV evasion in a YouTube video and I decided to write a script for it to speed up the process.
The script lets you choose between 2 payloads: meterpreter/reverse_tcp and shell_reverse_tcp. (Feel free to add more.)
It lets Metasploit generate the code for the payloads, then puts them in a template.c from the Metasploit framework, fills it with some random junk and compiles it with mingw32. So be sure you have mingw32 installed:

Code:

apt-get install mingw32

The script also has the option to use your external IP address and will look it up for you on a Belgian website.
This is just a fun feature I added. So don't use it for anything illegal.

If you want to scan the trojan the script creates with multiple AVs, please use http://vscan.novirusthanks.org/
And be sure to select the "do not distribute this sample" option so it won't get detected that quickly.

If it gets detected after a month or so, you can always change the variable names and the random junk in the C file.
This will probably make it undetectable again, for the easy AVs of course.

(\ /)
( . .)
c(")(")

This is bunny.
Copy and paste bunny into your signature to help him gain world domination.

Re: Script for simple AV evasion (tested on AVG, Avast, Emsisoft)

Originally Posted by m0j4h3d

Man .. I tried it .. but I cannot see the file results !!! Any idea?

What do you mean?
You can't find the exe output file of the script?
It's in /root/Desktop, and the script also asks you if you want to copy it to /var/www.
This script was written for the GNOME version of BackTrack. So if you use KDE, I think you need to change /root/Desktop to /root/ in every line.

Last edited by LHYX1; 07-19-2011 at 03:11 PM.
